KR20180137534A - Safeguarding against cryptographic power-law algorithms - Measures against error injection attacks - Google Patents

Abstract

In particular, a countermeasure using Montgomery multiplication properties is disclosed in order to secure a cryptographic system such as RSA and DSA, especially for a secure-error injection attack. In the proposed algorithm, the binary power b = a ^d mod n is repeatedly calculated using Montgomery multiplication when the current bit (d _i ) of the exponent (d) is equal to zero. In that case, a Montgomery multiplication of the actual result of the power calculation by R is realized. By virtue of this measure, if there is any disturbance of the error injection type introduced during the calculation, it is possible to have a visible effect on the final result that this attack becomes ineffective to infer the current bit (d _i ) of the private key d will be.

Description

Safeguarding against cryptographic power-law algorithms - Measures against error injection attacks

The present invention relates to countermeasures against a saf-error error injection attack on a cryptographic power-of-squared algorithm.

In particular, the invention finds application in a cryptographic method comprising modular power calculation for generating a second message (b) from a first message (a), wherein b = a ^d modulus n, Key, and n is a shared modulus. In this application, the present invention can be used to adhere to a cryptographic method for intrusion attacks such as a safe-error fault injection attack. More specifically, the present invention proposes to use countermeasures based on the Montgomery calculation.

The approach described in this section can be pursued, but it is not necessarily an approach that has been previously considered or pursued. Therefore, unless otherwise indicated herein, the approach described in this section is not prior art to the claims of the present application, nor is it recognized as prior art to be included in this section.

Modular power is used especially in cryptography such as RSA or DSA. RSA is a cryptographic technique used to encrypt clear text messages and decrypt encrypted messages, DSA is a cryptographic technique used to generate signatures for a given message and to validate such signatures. These techniques use the logic of the public key.

For RSA, the efficiency of cryptographic techniques is based on the difficulty of factoring large numbers of hackers. RSA was named after the inventors, namely, Rivest, Shamir, and Adleman's initials, which were introduced in 1977 (Rivest, RL, Shamir, A., Adelman, LM: "A method for obtaining digital signatures and public-key cyptosystems ", Technical Report MIT / LCS / TM-82, 1977). It was patented in the US by MIT in 1983. The US patent expired on September 22, 2000.

DSA (Digital Signature Algorithm) is an algorithm standardized by NIST in the United States. These algorithms are part of the Digital Signature Standard (DSS), which was implemented in 1993.

Modular power is an important operation for public key cryptography such as RSA or DSA. The result of this modular power gives rise to a second message b by calculating b = a ^d mod n, where the exponent d is a non-null integer corresponding to the private key and n is a large integer share Modulus. Indeed, it has proved impossible for an attacker to deduce a personal index (k) from a known couple (a, b).

, 여기서

로 표현될 수 있다.One way to implement modular powers in cryptographic algorithms is to use binary decomposition of the exponent. This so-called " binary exponentiation " method is also known as a " square-and-multiply " method. It was described by Knuth in 1997. The idea behind this method is to use a binary representation of the exponent ^d to compute a ^d . Therefore, power operations are separated by a series of squared operations and multiplication operations. Assuming that k denotes the bit-length of the exponent d, the exponent is expressed as d = (d _k-1 d _k-2 ... d ₁ d ₀ ) ₂ in the binary representation and

, here

. ≪ / RTI >

The binary power method can speed up the power calculation. The binary power algorithm can be implemented by the following exemplary pseudo-code, where the power is calculated as it proceeds from the most significant bit (MSB) of the exponent d to the least significant bit (LSB) of the exponent.

The computational complexity for this algorithm is 2x (k / 2) + 1x (k / 2) = 1.5xk for evaluating ad mod n. Therefore, such an algorithm is suitable for resource-limited devices.

However, a computation performed on each bit of the exponent equal to the binary value '1' may reveal the private key (d) to the hacker. This can be achieved by analyzing the device power consumption when the decryption process is performed. Indeed, significantly higher power is consumed by the computer unit when computation is performed by the computer unit, compared to power consumption without execution computation. Therefore, the consumption consumption of each moment of the binary power-up depends on the binary value of the current bit of the exponent being processed, so monitoring the decreasing current by calculation can easily reveal each bit of the exponent.

Several options have been considered to address this problem. In particular, the introduction of countermeasures has been proposed to prevent any variation of the computational load that occurs while a signature is being computed or verified being detected by a hacker.

Therefore, one measure for this attack known as " Square-And-Multiply-Always " is that, instead of doing nothing, if the scanned bit is '0' calculation. Such a dummy calculation may be, for example, a modular multiplication of a message by a constant or an arbitrary number. In that case, the pseudo-code of the binary power-law algorithm is as follows.

However, these measures are vulnerable to another type of attack called a "fault injection attack". The error injection attack identifies the private key by analyzing the mathematical and statistical properties of the incorrectly calculated results, based on the concept of introducing erroneous data into the cryptographic computation. In fact, by disturbing the execution flow of the modular power, comparing the (wrong) result with the expected result can reveal information about the manipulated secret data.

This attack uses the fact that error injection is ineffective during step (2) because the multiplication is a dummy operation when the current bit of the index of the private key is equal to zero. Therefore, the attack is performed by potentially introducing a random random calculation error during the dummy multiplication. The exponent bits can be obtained by checking the accuracy of the output.

More specifically, introducing disturbances in step (2) of the process performed by the exemplary pseudo-code does not affect the end result if the in-place multiplication was in effect a dummy multiplication. In the same way, the disturbance introduced in step (2) of the iterative calculation has a visible effect on the final result if the in-place multiplication is an actual multiplication. this is,

- If the final result is different from the budgeted one, it means that during the actual multiplication, a perturbation has been made and exposes the scanned bit '1'

If the final result does not change, it means that during the dummy multiplication, the disturbance has been done, revealing the scanned bit '0'.

By repeating this attack on each bit of the exponent and by analyzing the implications of the end result, the hacker can recover the whole index. If this index is important data such as an RSA private key, it can be very harmful.

There is another type of error called " safe-error fault injeciton ", i.e., an error that keeps the power output unchanged. Consider a second-safe error attack, that is, an attacker injecting two errors during the same computation and observe whether the result is valid or not. The attacker injects an error during the multiplication in step (i) of an arbitrary number exponent (a ^r ) and injects another error during the multiplication in step (i) of the exponent (a ^{r *} ) where r * = dr Think about it. These two errors, if (r _i , r * _i ) = (0,0), have no effect on the computation. By repeating the process, the attacker obtains an estimate of the probability to obtain (0, 0) for the bit in the binary rank (i) of his choice. This probability is strongly correlated with the value of the bit (d _i ). These observations allow the attacker to learn the secret index. It is described in detail in the article "FAULT ANALYSIS IN CRYPTOGRAPHY" by Joye, Tunstall, Chapter 7/8.

을 계산할 수 있고, 여기서, k는 임의의 정수이고,

는 오일러의

함수이다. n = p.q가 RSA 모듈러스인 경우, 이는

를 낳는다. 그러므로, 지수는

가 된다. 오류 주입 공격을 효율적으로 좌절시키기 위해, 적어도 32-비트 길이 임의의 정수 k를 사용하는 것이 고려될 수 있다. 그러나, 지수는 매우 길게 되었고, 그래서 전제 거듭제곱의 계산은 현저하게 더 시간 소요된다.Another countermeasure consists in randomizing the exponent, as described in patent document WO 98/52319. ≪ Desc / Clms Page number 2 > PUBLIC KEY SCHEMES FROM TIMING AND FAULT ATTACKS. Instead of calculating a ^d mod n ,

, Where k is an arbitrary integer,

Of Euler

Function. If n = pq is RSA modulus,

. Therefore,

. In order to effectively frustrate the error injection attack, it is contemplated to use an arbitrary integer k of at least 32-bit length. However, the exponent became very long, so the calculation of the precondition power takes significantly longer.

French patent FR 2884088 entitled " CRYPTOGRAPHIC METHOD AND DEVICE FOR PROTECTING PUBLIC-KEY SOFTWARE AGAINST FAULT ATTACKS " discloses decomposing the calculation into two distinct computational steps, ultimately recombining the final result. According to the method disclosed, the index is decomposed into d = d ₁ + d ₂ in any manner, On the one hand this a ^d1 mod n, and on the other hand this a ^d2 mod n are calculated, and finally, two The obtained results are multiplied to obtain the final result. However, this requires twice the computation to be performed.

Other possible countermeasures include the use of an additional chain ("SECURING RSA AGAINST FAULT ANALYSIS BY DOUBLE ADDITION CHAIN EXPONENTIATION", Rivain, https: veprint.iacr.orq.2009.165.pdf). It requires additional temporal variables to be updated with each other for each bit. Throughout the calculations, these two variables satisfy a common relationship that can be ascertained at the end of the power-up process. If this relationship is not maintained, the computation can be disturbed and additional measures can be taken. This countermeasure requires another register to store the second temporal variable and also requires final verification, thus requiring additional computation.

Patent EP 2222012 entitled " METHOD AND DEVICE FOR COUNTERING FAULT ATTACKS " discloses a method consisting of using a common exponent " e " to verify that the result is correct. Of course, that means calculating additional powers and final comparisons.

The method described in patent US 8,139,763, entitled " RANDOMIZED RSA BASED CRYPTOGRAPHIC EXPONENTIATION RESISTANT TO SIDE CHANNEL AND FAULT ATTACKS ", consists of randomizing exponents. The resulting randomized exponent is larger, meaning more computational loops.

Finally, the concept of the method disclosed in patent EP 1531579 " RSA PUBLIC KEY GENERATION APPARATUS, RSA DECRYPTION APPARATUS, AND RSA SIGNATURE APPARATUS " is to add additional (expensive) calculation and final confirmation.

All of the above measures suggesting an additional separate operation degrade performance in particular. The presence of an error failure analysis attack requires special management when performing cryptographic application protection without performance degradation.

Taking the above into consideration, there is a need for improved countermeasures against possible attacks of the type of safe-error injection by providing a simple and efficient alternative to the existing solutions as presented above.

In order to solve such a demand,

Receiving a first message (a);

를 가진

이며, n은 양의 정수 모듈러스이고, R은 n보다 큰 g의 가장 작은 멱(power)으로 정의된 몽고메리 상수이고, g는 기계-단어 기반(machine-word base)임 - 를 포함하되,B) generating a second message (b) by calculating a modular power b = a ^d mod n , wherein d is a binary value, such as d = (d _k-1 d _k-2 ... d ₁ d ₀ ) Expressed as an integer, the variable

With

Where n is a positive integer modulus, R is a Montgomery constant defined as the smallest power of g greater than n, and g is a machine-word base,

Calculating the modular power, b = a ^d mod n ,

Initiating a first variable with R modulus n,

d _i a _{d k-1, d k-} 2, ... d 1 d _0, and takes a value in each row, the step of calculating a number k times an iterative process wherein each iteration of the iterative process is, d _i is 0, a cryptographic method of inserting a measure to replace the first variable by the Montgomery multiplication of the first variable and the R modulus n is proposed.

In one embodiment, computing the modular power b = a ^d mod n uses a Montgomery transform,

Initiating a first variable and a second variable with an R modulus n and an R modulus n, respectively,

d _i consecutively taking values of d _k-1 , d _k-2 , ... d ₁ and d ₀ , respectively, to calculate a number k iterative process, - calculating a first variable by said first variable and its own modulus n If d _i is equal to 1, replacing the first variable by a Montgomery multiplication of the first variable and the second variable modulus n, and if d _i is equal to 0, replacing the first variable with a Montgomery multiplication of Inserting a measure to replace the first variable with a Montgomery multiplication of the first variable and R modulus n,

And replacing the first variable by a Montgomery multiplication of the first variable and 1 modulus n.

In the case of an RSA cryptographic operation or a decryption operation, the message a is an encrypted message c and the message b is a clean text message m.

In the DSA cryptographic system, the first message (a) is an integer h, the second message (b) is a public key (y), and the exponent (d) is a secret key (x).

In other words, so-called, instead of calculating the dummy multiplication dummy = dummy × c mod n, such as "square-and-multiply all the time (Square-and-Multiply Always) " measures, the present invention result = MontMul (result, R, n ) , Where MontMul denotes a Montgomery multiplication operation applied to a set of operations (result, R, n). As such, some disturbance of any computation and / or the result of such computation will result in the modification of the final result of the binary power calculation.

Specifically, the Montgomery multiplication is described in "Handbook of Applied Cryptography, by Menezes, van Oorschot, and Vanstone, Chapter 14".

Those skilled in the art will recognize that introducing such an operation instead of a dummy operation does not modify the end result due to the definition of Montgomery multiplication.

Nonetheless, adding this countermeasure affects that during any modular power, such as an RSA algorithm, random disturbances at any instant of the power-up algorithm will cause a correction of the final result. This advantage derives from the fact that this countermeasure operation is linked to the end result.

In other words, while the use of Montgomery multiplication does not affect the binary power calculation in the normal case, the above-mentioned property provides a result that any error introduced into this calculation domain will have a visible effect of the final result do.

Therefore, the present invention provides a method and system for suppressing possible attacks of the saf-error injection type by using Montgomery multiplication in the calculation of modular powers during the power-up of any public key cryptography (RSA, DSA, etc.) It provides a simple and effective solution.

The use of Montgomery multiplication in this way is novel and not easy, even if intentionally used to speed up modular power calculation.

Preferably, the embodiment of the proposed solution provides a fast and light detoxification process useful in any public key cryptography. In fact, this solution is faster than conventional methods, since this solution does not require the use of additional verification operations to ensure that no saf error is introduced during calculation, considering that no error is known to the hacker to be. Also, since the algorithm does not require additional registers to store additional data, it is lighter than readily available techniques. Therefore, it is memory-optimized. In other words, the proposed " Montgomery multiplication " countermeasure is a preferred alternative to other countermeasures that are resilient to a costly error-correcting injection attack that is very costly in terms of computational performance and memory capacity.

In addition, the present invention can be compatible with additional optimizations that can be performed to speed up calculations, such as sliding window algorithms.

A second aspect of the present invention relates to a computer program product comprising instructions of one or more stored sequences that when executed by a processor cause the processor to perform steps of the method of the first aspect of the present invention, .

Finally, in a third aspect of the present invention,

An interface for receiving a first message (a)

를 가진

이며, n은 양의 정수 모듈러스이고, R은 n보다 큰 g의 가장 작은 멱(power)으로 정의된 몽고메리 상수이고, g는 기계-단어 기반(machine-word base)임 - 를 포함하되,A computer unit configured to generate a second message (b) by calculating a modular power b = a ^d mod n , wherein d = (d _k-1 d _k-2 ... d ₁ d ₀ ) Similarly, an integer represented as a binary representation,

With

Where n is a positive integer modulus, R is a Montgomery constant defined as the smallest power of g greater than n, and g is a machine-word base,

The computer unit is further programmed to calculate a modular power b = a ^d mod n ,

Start the first variable with R modulus n,

d _i a _{d k-1, d k-} 2, ... d 1 d _0, and takes a value in each row, the number k calculated times an iterative process wherein each iteration of the iterative process is, and d _i is 0 And if so, inserting a measure to replace the first variable with a Montgomery multiplication of the first variable and R modulus n.

In one embodiment, the computer unit is configured to use the Montgomery transform to calculate the modular power b = a ^d mod n ,

The first variable and the second variable are expressed as R modulus n and a x R modulus n, respectively,

d _i takes values of d _k-1 , d _k-2 , ... d ₁ and d ₀ , respectively, and calculates the number k iterative process - calculating the first variable by the first variable and the self modulus n, If d _i is equal to 1, replacing the first variable by a Montgomery multiplication of the first variable and the second variable modulus n, and if d _i is equal to 0, substituting the first variable by the Montgomery multiplication of the first variable and the second variable modulus n, One measure is to insert a Montgomery multiplication of the R modulus n,

The first variable is replaced with the Montgomery multiplication of the first variable and 1 modulus n.

Such a cryptographic system may be, for example, RSA or DSA cryptography.

In some embodiments, the machine-word-based (g) may be equal to 2 ³² .

Embodiments of the present invention are illustrated by way of example and not of limitation, in the figures of the accompanying drawings, like reference numerals refer to like elements.
Figure 1 is a flow chart illustrating the steps of a " squared-and-multiply-always " type algorithm for computing binary powers without the proposed " Montgomery multiplication &
FIG. 2 is a flow chart illustrating the steps of an algorithm for calculating a binary power calculation with the Montgomery multiplication measure. FIG.
3 is a block diagram of an embodiment of a cryptographic method according to a third aspect of the present invention applied to executing a computer program product according to the second aspect.

Referring to the flowchart of FIG. 1, an embodiment of a binary algorithm for computing the power b = a ^d mod n , without the proposed " Montgomery multiplication " countermeasure, will be described first. In other words, FIG. 1 shows a flowchart of a method in which measures such as, for example, "Square-And-Multiply Always" are introduced into a binary power-up process.

In the case of an RSA cryptographic operation or decryption operation, message a is an encrypted message C and b is a clean text message m.

In the DSA cryptographic system, the first message (a) is an integer h, the second message (b) is a concatenation key (y), and the exponent d is a secret key (x).

The algorithm according to the illustrated embodiment includes the following steps 11-16.

At 11, various inputs used in decryption operations are defined, which include shared modulus (n), private key (d) and first message (a).

In one embodiment, the shared modulus n is a large number. In one example, n may be a prime number. However, it will be understood by those skilled in the art that the embodiments of the present invention are not intended to be limited to these examples.

The private key d may be represented as a binary expression such as d = (d _k-1 d _k-2 ... d ₁ d ₀ ) ₂ , where k is an integer greater than one.

12, the variables result and dummy both start with 1, i.e., result = 1 and dummy = 1.

13, a for-loop process is started, which starts at index (i) ranging from k-1 to 0 down respectively, i.e. starting at the MSB (most significant bit) For each of the k binary elements (bits) d _k-1 , d _k-2 , ... d ₁ and d ₀ of the exponent d terminated in LSB (least significant bit) .

At 14, the square of the variable result is realized. More specifically, the variable result is replaced by result × result mod n .

If the current bit of the exponent (d _i ) is equal to '1', at 15, the result result is replaced by result x a mod n .

Otherwise, if the current bit (d _i ) of the exponent is equal to '0', the measure dummy × a mod n is inserted at 16. This is obtained by replacing the variable result with dummy × a mod n .

The concept behind the present invention is to replace dummy operations with other operations that always have a visible effect on the final result a ^d mod n .

A simple method is to replace the dummy operation by 1. The end result will not be affected in the absence of perturbation, and disturbance during such computation will result in a high probability of modification of the end result. Therefore, in some cases, it can respond to an error injection attack. However, since the Hamming weight of '1' is 1, modification of this unique bit will result in null output. Hence, it gives information about the operation being performed and can help a hacker infer the value of the private key.

A more secure way to achieve the same result is, according to embodiments, to use Montgomery multiplication.

Although the modular power is considered a complex arithmetic operation due to intrinsic multiplication and division operations, the mathematician Peter L. Montgomery (1995) multiplies two integer (n-modulo) modulo n The modular reduction algorithm is introduced. In the technical literature (see, for example, "Handbook of Applied Cryptography", Menezes, van Oorschot, Vanstone, Chapter 14), Montgomery calculus properties were used to speed up the multiplication required for modular multiplication and power. Montgomery reduction is performed after simple, long-integer multiplication is performed, and the Montgomery reduction is a "inverse" operation of the so-called Montgomery transformation.

In other words,

n is a large integer modulus,

p is an integer less than 2n (i.e., p < 2n)

Assuming that R is a so-called Montgomery constant,

The Montgomery form of a is defined as p x R mod n,

The Montgomery reduction is defined as p x R ^-1 mod n, where R ^-1 is the inverse of R,

Montgomery multiplication MontMul computes the value p × q × R ^-1 mod n for the input (p, q, n).

Referring to the flowchart of FIG. 2, an exemplary embodiment of the first aspect of the present invention will now be described. This aspect relates to a cryptographic method based on an algorithm for calculating power a ^d modulus n with Montgomery multiplication measures proposed according to an embodiment of the present invention. The so-called Montgomery constant (R) is defined as the smallest power of g greater than n, where g is machine-word based (on a 32-bit system, for example, g = 2 ³² ). In one example, g is equal to 2 ³² . However, since g may be equal to 2 ¹⁶ or 2 ⁶⁴ , for example, it is purely descriptive.

At 21, various inputs used by the computer means to perform the method are defined or received, such as modulus (n), d = (d _k-1 d _k-2 ... d ₁ d ₀ ) ₂ (D) expressed in binary representation and the first message (a).

At 22, the variables result and a start with R mod n and a x R mod n, respectively, and R is the smallest power of f that is greater than n.

At 23, a k-binary element of exponent (d), i. E., For-loop implementation of bits k-1 through 0 is started. More specifically, in this example, the k bits of the exponent d are processed from the MSB to the LSB. It will be appreciated by those skilled in the art that performing calculations from LSB to LSB is also a valid option.

At 24, the Montgomery multiplication of the squared variable result (ie, result × result ) is performed: result × result × R ^-1 mod n .

25, if the bit (d _i ) of the exponent d is equal to '1', the Montgomery multiplication of result and a, ie, result × a × R ^-1 modulus n is calculated and the result variable is updated, The same shall be substituted.

The measure to realize Montgomery multiplication of result and R is inserted at 26 when the current bit of exponent is equal to '0'. More specifically, the result variable is replaced by result x R x R ^-1 modulus n .

At 27, the process returns to its normal form in Montgomery format and ends. This can be achieved by calculating the Montgomery multiplication result of the first. That is, result is replaced by result × 1 × R ^-1 modulus n .

One of the well-known countermeasures in the art consists in adding a dummy multiplication in a binary power-of-two algorithm. According to an embodiment of the present invention, it is proposed to change this dummy multiplication by performing the Montgomery multiplication, MontMul (result, R, n) .

Using this method, the perturbation and / or steps of any operator in this computation dynamics cause the hacker to be unable to identify the current bit (d _i ) of the private key d, Because it will cause. Thus, the proposed countermeasures are effective for saf-error error injection attacks.

Modification of the dummy multiplication by the Montgomery multiplication will not modify the final result in the normal case, that is, without any injection attack, because of the Montgomery multiplication definition that provides the following identification characteristics.

MontMul (result, R, n) = result x R x R ^-One  mod n = result mod n

A particularly advantageous effect of the present invention is achieved when the method is used while the modular power is calculated using the Montgomery transform. Indeed, the consumption signatures of the Montgomery multiplication can be different from those of the modulo multiplies, so the advantage of using the proposed &quot; Montgomery multiplication &quot; when the modulo powers are calculated using the Montgomery transform is that d _i is & , And when d _i is equal to '1', it totally eliminates any difference in power consumption for the calculations performed.

However, those skilled in the art will recognize that it is not necessary to calculate the modular power using the Montgomery transform. Actually, the Montgomery multiplication measure according to the embodiment of the present invention can be executed only by changing the iterative process in the case where d _i is equal to '0'. In this implementation, all other steps are the same as those of Figure 1, where the standard &quot; dummy calculation &quot; is used. In particular, iterative processing when d _i is equal to '1' may be standard, modular multiplication.

In an embodiment, a power algorithm including the proposed &quot; Montgomery multiplication &quot; countermeasure can be executed, for example, by the following pseudocode.

With reference to the block diagram of FIG. 3, an embodiment of the cryptographic method according to the third aspect of the present invention will now be described. Such cryptography may include a computer unit configured to execute a computer program product comprising instructions of one or more stored sequences accessible to a processor and to cause the processor to perform a cryptographic method when executed by the processor .

In the illustrated embodiment, the computer unit 30 comprises at least one processor 31, at least one memory 32 for storing data used during calculations by the processor 31, And at least one rewritable non-volatile memory 33 used to store specific parameters or execution commands for performing the method appropriately.

The memory 32 may be, for example, any suitable type of random access memory (RAM), such as SRAM, DRAM, or SDRAM. The memory 33 may be any suitable type of read-only memory (ROM), such as an EPROM or flash memory.

The cryptography is used to receive a message a such as a message c to be decrypted in the context of RSA and to send a message b such as clean text m when decrypted in the context Interface 34 (I / F).

The present invention does not require the use of additional acknowledgment to ensure that a saf error error has not been introduced during the calculation. It enables a faster calculation of the algorithm. In addition, such an algorithm is memory-optimized because it does not require additional registers to store additional data.

It is not affected by simple power analysis (SPA). SPA is based on the basic idea that multiplication and squaring may not result in the same power consumption. Therefore, hackers are passive attacks that monitor power tracing of cryptographic devices that perform modular powers. From power tracking, it is also expected to recover the sequence of squaring and multiplication actually performed to infer important information used in cryptography.

Embodiments of the present invention have been described above in the context of decryption operations within the RSA algorithm. It should be noted, however, that the present invention is not limited to these examples, but may be implemented in many other public key cryptographic systems (cryptography), such as DSA.

The present invention also contemplates that the computing device may be configured to &lt; RTI ID = e, f, R, may be used in any applications running operation to compute the computation of e × f × R ^-1 mod n bit for n. In that case, the device first computes e '= e x R mod n and f' = f x R mod n to transform the variables e and f to Montgomery form, and then e ' And &lt; RTI ID = 0.0 &gt; f '. &Lt; / RTI &gt;

Finally, it will be further appreciated by those skilled in the art that the proposed method is compatible with example implementations of various known and further optimization processes to speed up computation, such as, for example, a sliding window algorithm.

Claims (12)

Receiving a first message (a);
B) generating a second message (b) by calculating a modular power b = a ^d mod n , wherein d is a binary value, such as d = (d _k-1 d _k-2 ... d ₁ d ₀ ) Expressed as an integer, the variable

With

Where n is a positive integer modulus, R is a Montgomery constant defined as the smallest power of g greater than n, and g is a machine-word base,
Calculating the modular power, b = a ^d mod n ,
Initiating a first variable with R modulus n,
d _i a _{d k-1, d k-} 2, ... d 1 d _0, and takes a value in each row, the step of calculating a number k times an iterative process wherein each iteration of the iterative process is, d _i is 0, &lt; / RTI &gt; a cryptographic method is inserted that replaces the first variable with a Montgomery multiplication of the first variable and R modulus n. 2. The method of claim 1, wherein computing the modular power b = a ^d mod n uses Montgomery conversion,
Initiating a first variable and a second variable with R modulus n and c X R modulus n, respectively,
d _i consecutively taking values of d _k-1 , d _k-2 , ... d ₁ and d ₀ , respectively, to calculate a number k iterative process, - calculating a first variable by said first variable and its own modulus n If d _i is equal to 1, replacing the first variable by a Montgomery multiplication of the first variable and the second variable modulus n, and if d _i is equal to 0, replacing the first variable with a Montgomery multiplication of Inserting a measure to replace the first variable with a Montgomery multiplication of the first variable and R modulus n,
And replacing the first variable by a Montgomery multiplication of the first variable and a modulo n. The cryptographic method according to claim 1, wherein in the case of an RSA cryptographic operation or a decryption operation, a is an encrypted message (c) and b is a clean text message (m). 2. The cryptographic method according to claim 1, wherein in the case of a DSA cryptographic system, a is an integer (g), b is a public key (y), and the exponent (d) is a secret key (x). 3. The cryptographic method according to claim 1 or 2, wherein the modulus n is the shared modulus of the public key cryptographic system. 6. The cryptographic method according to any one of claims 1 to 5, wherein the integer d is the private key of the public key cryptographic system. 7. The cryptographic method according to any one of claims 1 to 6, wherein the integer d is a 16-bit length or any integer of 32-bit length. 8. The cryptographic method according to any one of claims 1 to 7, further comprising the execution of a sliding window optimization algorithm to speed up the calculation. 9. A method according to any one of claims 1 to 8, wherein the processor is accessible and when executed by a processor is adapted to perform the steps of the method of any one of claims 1 to 6, &Lt; / RTI &gt; An interface 34 for receiving the first message a,
A computer unit 30 configured to generate a second message b by calculating a modular power b = a ^d mod n comprises: d = (d _k-1 d _k-2 ... d ₁ d ₀ ), and the variable &lt; RTI ID = 0.0 &gt;

With

Where n is a positive integer modulus, R is a Montgomery constant defined as the smallest power of g greater than n, and g is a machine-word base,
The computer unit is further programmed to calculate a modular power b = a ^d mod n ,
Start the first variable with R modulus n,
d _i a _{d k-1, d k-} 2, ... d 1 d _0, and takes a value in each row, the number k calculated times an iterative process wherein each iteration of the iterative process is, and d _i is 0 And if so, inserting a measure to replace the first variable with a Montgomery multiplication of the first variable with R modulus n. 9. The apparatus of claim 8, wherein the computer unit is configured to use a Montgomery transform to calculate the modular power b = a ^d mod n ,
The first variable and the second variable are expressed as R modulus n and a x R modulus n, respectively,
d _i takes values of d _k-1 , d _k-2 , ... d ₁ and d ₀ , respectively, and calculates the number k iterative process - calculating the first variable by the first variable and the self modulus n, If d _i is equal to 1, replacing the first variable by a Montgomery multiplication of the first variable and the second variable modulus n, and if d _i is equal to 0, substituting the first variable by the Montgomery multiplication of the first variable and the second variable modulus n, One measure is to insert a Montgomery multiplication of the R modulus n,
And to replace the first variable with a Montgomery multiplication of the first variable and 1 modulus n. 10. A cryptographic system according to any one of claims 8 to 9, wherein the machine-word-based (g) is 2 ³² .

Images